Log from #iptables at freenode 2006-06-08
[10:25]<ryys>Qantourisc: http://l7-filter.sourceforge.net/PacketFlow.png <- that might be a bit clearer
[10:25]<qzgvjuzysa>thanks :) doesn't fit on my screen though :D
[10:25]<ryys>huge though, we once used a plotter and stuck it on the wall as a poster....that was handy
[10:26]<ryys>:)
[10:26]<ryys>i use the image zoom plug-in for FF, that works pretty well
[10:26]<qzgvjuzysa>Riis: yes seems to be dead correct too ...
[10:26]<qzgvjuzysa>Riis: zoom-plugin ...
[10:28]<qzgvjuzysa>Riis: there are a lot of zoomers, any you recommend ?
[10:28]<ryys>"Image Zoom" it's called
[10:28]<ryys>0.2.5 it should be up to
[10:28]<ryys>haven't tried the others though
[10:29]<qzgvjuzysa>Riis: does image zoom use anti aliasing ?
[10:30]<ryys>i think so
[10:30]<ryys>only not at the first zoom level, because FF handles that itself
[10:34]<qzgvjuzysa>Riis: zoomfox seems better at first sight
[10:34]<xzgmzyx>iptables -A INPUT -s rape -d * = rape protection
[10:36]<qzgvjuzysa>Riis: certainly is a "complex" flow
[10:36]<ryys>Qantourisc: yes, best suited for large paper plots :)
[10:37]<qzgvjuzysa>can i ask about "processing decision" ? based upon what is it made ?
[10:38]<qzgvjuzysa>Riis: ebtables ? i haven't come across that in my kernel config ?
[10:38]<ryys>Qantourisc: well the plot is from the l7-filter patch
[10:38]<ryys>so some of it is not std iptables
[10:38]<qzgvjuzysa>Riis: ow :)
[10:39]<ryys>sorry, forgot to mention :)
[10:39]<qzgvjuzysa>Riis: and those are ? qdisc and ebtables i presume ?
[10:39]<ryys>hmm, not sure
[10:39]<qzgvjuzysa>:)
[10:39]<ryys>i think qdisc is std Qos in iptables
[10:39]<qzgvjuzysa>ah right
[10:40]<qzgvjuzysa>and ebtables ?
[10:40]<ryys>that might be an l7-filter thing
[10:40]<qzgvjuzysa>Riis: you are not sure ? :)
[10:40]<ryys>Qantourisc: it is like 1.5+ years since we used this stuff :)
[10:40]<qzgvjuzysa>ow :D
[10:41]<ryys>Qantourisc: I have a great 80 page report on its potential use in Danish though. If you fancy :)
[10:41]<qzgvjuzysa>Riis: considering that this page is like 4 times as complex as any i have seen i presume iptables doesn't use ebtables ...
[10:41]<ryys>probably right
[10:41]<qzgvjuzysa>Riis: sorry my Danish is not so good ....
[10:42]<ryys>Qantourisc: it is a messed up language anyway, so that's ok :)
[10:42]<qzgvjuzysa>:)
[10:42]<qzgvjuzysa>Riis: happen to have another image ?
[10:42]<ryys>Qantourisc: not that I know of...
[10:43]<qzgvjuzysa>Riis: hmm google iptables also seems to work well
[10:43]<ryys>it should :)
[10:43]<qzgvjuzysa>http://linux-ip.net/nf/nfk-traversal.png <= this seems the best one yet
[10:45]<qzgvjuzysa>Riis: btw how hard is it to make a safe firewall in iptables ?
[10:45]<ryys>hmm, depends on how much you want it to do
[10:46]<qzgvjuzysa>hmm basic natting and port forwarding is working out for the old router
[10:46]<ryys>a quick couple of rules to deny all traffic and then a few to allow the needed services....
[10:46]<ryys>but I _really_ don't know iptables
[10:46]<qzgvjuzysa>:)
[10:46]<ryys>it's just something I use sometimes, but will never understand fully :)
[10:47]<qzgvjuzysa>ok thanks a lot ... now to find time :)
[10:51]<qzgvjuzysa>Riis: you know stuff about security though ? would it help giving a nick 2 ip's to prevent mistakes when making the routing rules ? so IP 1 only accepts gateway stuff and IP 2 only accepts traffic with the computer as destination ?
[10:55]<ryys>Qantourisc: finding time is half the job done :) I guess it could avoid some potential confusion, so I don't see why it would be a bad (read: insecure) idea
[10:56]<xzgmzyx>my joke sucked didn't it lol about the rape protection
[10:56]<ryys>Qantourisc: but I'm really not the guy to ask, I just know my NAT and TCP/IP, iptables is just a dark cloud I stab at randomly
[10:56]<qzgvjuzysa>Riis: rofl :)
[10:56]<ryys>XandriX: I don't master the proper syntax to get your joke :)
[10:56]<qzgvjuzysa>XandriX: how about mister state rape ?
[10:56]<ryys>Qantourisc: :)
[10:57]<xzgmzyx>Qantourisc, lol
[10:57]<qzgvjuzysa>Riis: each package has a state
[10:57]<xzgmzyx>iptables -A INPUT -s rape -d * = rape protection
[10:57]<qzgvjuzysa>Riis: which you can filter on
[10:57]<qzgvjuzysa>Riis: states are RELATED, CONNECTED, euu some others i forgot
[10:58]<qzgvjuzysa>Riis: anyhow rape is not one of them ...
[10:59]<qzgvjuzysa>Riis: so basically that rule says: Each package that comes into your pc, if it has the state "rape" and it going to anywhere .... euu xandrix, didn't you forget to add reject/drop ?
[10:59]<qzgvjuzysa>XandriX: you happen to know how hard it is to make a safe NAT ?
[10:59]<xzgmzyx>lmao im just messin i wanted to see if anyone would see my flaw on that one
[11:00]<qzgvjuzysa>or reply for that matter :)
[11:01]<xzgmzyx>that too lol
[11:02]<qzgvjuzysa>XandriX: so ... how about some real iptable rules now ? :)
[11:02]<ryys>Qantourisc: never!
[11:02]<ryys>:)
[11:02]<xzgmzyx>Qantourisc, lol
[11:02]<ryys>iptables is only meant as a joke syntax! :)
[11:04]<xzgmzyx>Qantourisc, we are we just like to joke sheesh :P
[11:05]<qzgvjuzysa>:)
[11:06]<xzgmzyx>openvpn is a bitch to secure with syn fin and ack
[11:06]<qzgvjuzysa>instead i found someone in #iptables for whom iptables is just a dark cloud, and another person trying to install iptables on his behind to get rape protection :D
[11:07]<qzgvjuzysa>XandriX: doesn't that thing have some sort of NAT traversal ?
[11:07]<xzgmzyx>Qantourisc, lmao
[11:08]<xzgmzyx>Qantourisc, but i have to let outgoing and deny incoming its basic and no nat
[11:08]<qzgvjuzysa>:)
[11:09]<qzgvjuzysa>i'm still wondering how i will protect myself from DOS attacks ...
[11:09]<xzgmzyx>Qantourisc, u mean for real ?
[11:09]<qzgvjuzysa>XandriX: no on cpu base
[11:09]<xzgmzyx>that's what i meant lol
[11:09]<sgnzcm_bzsvzzm>nothing can stop you from being blown off the internet, if somebody throse more bandwidth of incoming data, than your ISP connect supports
[11:09]<qzgvjuzysa>XandriX: dunno how one could ever defend against a DOS attack for your ISP pipe
[11:09]<sgnzcm_bzsvzzm>absolutely nothing
[11:10]<sgnzcm_bzsvzzm>throws
[11:10]<qzgvjuzysa>Sneaky_Bastard: there is a solution :) you monitor each package that comes in
[11:10]<sgnzcm_bzsvzzm>doesn't matter how it's done -- DoS or DDoS
[11:10]<xzgmzyx>u can call ur isp and ask them to ban that ip from your connection
[11:10]<qzgvjuzysa>Sneaky_Bastard: you get its ip, you trace the owner
[11:10]<sgnzcm_bzsvzzm>if it's DDoS, that will not work
[11:10]<qzgvjuzysa>Sneaky_Bastard: you drive to the owner's house, beat the guy, kill his computer and go to the next person